
Worker nodes

While EKS will run the control plane for you, it’s up to you to create the worker nodes. Here are the key considerations:

Auto Scaling Group

We recommend using an Auto Scaling Group to run your worker nodes. This way, failed nodes will be automatically replaced, and you can use auto scaling policies to automatically scale the number of nodes up and down in response to load.

Tags

EKS requires that all worker node EC2 instances have a tag with the key kubernetes.io/cluster/<CLUSTER_NAME> and value owned.

Subnets

We strongly recommend running the Auto Scaling Group for your worker nodes in private subnets that are NOT directly accessible from the public Internet. See How to deploy a production-grade VPC on AWS for more info.

AMI

Each worker node will need Docker, kubelet, AWS IAM Authenticator, and a bootstrap script installed. We recommend using the Amazon EKS-Optimized AMI or one of the EKS partner AMIs (e.g., there is an Ubuntu AMI), as these already have all the necessary software installed.

User Data

Each worker node must register itself with the Kubernetes API. This can be done using a bootstrap script that is bundled with the EKS-optimized AMI. We recommend running this bootstrap script as part of User Data so that it executes when the EC2 instance is booting.

IAM role

For the kubelet on each worker node to be able to make AWS API calls, each worker node must have an IAM role with the following managed IAM policies attached: AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, and AmazonEC2ContainerRegistryReadOnly.

Security group

You should define a security group that controls what traffic can go in and out of each worker node. The worker nodes must be able to talk to the control plane and vice versa: see Cluster Security Group Considerations for the ports you should open up between them.
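The Tags, Subnets, IAM role and Security group requirements above can be checked against running instances. The following is an added example (not Gruntwork's code) that audits EC2 instance records shaped like the output of the EC2 DescribeInstances API; the cluster name, subnet IDs, security group ID and the two instance records are constructed sample values.

```python
# Added example: audit worker-node EC2 instances against the checks on this page.
# The records below mirror the Instances entries of an EC2 DescribeInstances response
# and are constructed sample data, not real infrastructure.

CLUSTER_NAME = "example-cluster"                               # assumed cluster name
PRIVATE_SUBNETS = {"subnet-private-a", "subnet-private-b"}     # assumed private subnet IDs
WORKER_SG = "sg-workers"                                       # assumed worker security group

SAMPLE_INSTANCES = [
    {   # compliant worker node
        "InstanceId": "i-0001",
        "SubnetId": "subnet-private-a",
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/eks-workers"},
        "SecurityGroups": [{"GroupId": "sg-workers"}],
        "Tags": [{"Key": "kubernetes.io/cluster/example-cluster", "Value": "owned"}],
    },
    {   # misconfigured: public subnet, no IAM role, wrong security group, missing tag
        "InstanceId": "i-0002",
        "SubnetId": "subnet-public-a",
        "SecurityGroups": [{"GroupId": "sg-default"}],
        "Tags": [{"Key": "Name", "Value": "worker"}],
    },
]


def audit_worker_node(instance, cluster_name=CLUSTER_NAME,
                      private_subnets=PRIVATE_SUBNETS, worker_sg=WORKER_SG):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    # EKS requires kubernetes.io/cluster/<CLUSTER_NAME> = owned on every worker node
    if tags.get(f"kubernetes.io/cluster/{cluster_name}") != "owned":
        findings.append("missing kubernetes.io/cluster/<CLUSTER_NAME>=owned tag")
    # Without an instance profile the kubelet has no IAM role for AWS API calls
    if not instance.get("IamInstanceProfile"):
        findings.append("no IAM instance profile attached")
    # Worker nodes should live in private subnets, not ones reachable from the Internet
    if instance.get("SubnetId") not in private_subnets:
        findings.append("not in a private subnet")
    # The worker security group is what controls traffic to and from the control plane
    if worker_sg not in {g["GroupId"] for g in instance.get("SecurityGroups", [])}:
        findings.append("worker security group not attached")
    return findings


def audit_all(instances, **kwargs):
    """Map each InstanceId to its list of findings."""
    return {i["InstanceId"]: audit_worker_node(i, **kwargs) for i in instances}


if __name__ == "__main__":
    for instance_id, findings in audit_all(SAMPLE_INSTANCES).items():
        print(instance_id, "OK" if not findings else findings)
```

To run it against a real account, replace SAMPLE_INSTANCES with the Instances lists from a DescribeInstances call filtered to the worker Auto Scaling Group.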

Server hardening

There are a number of server-hardening techniques that you should apply to each worker node. This includes a secure base image (e.g., CIS hardened images), intrusion prevention (e.g., fail2ban), file integrity monitoring (e.g., Tripwire), anti-virus (e.g., Sophos), automatically installing critical security updates (e.g., unattended-upgrades for Ubuntu), locking down EC2 metadata (e.g., ip-lockdown), and so on.